Secure Rest and SOAP services with Apache CXF

Conference Day - 21. Mai
Raum Rheinauen

Security is the common requirement for almost all of the web service related products and solutions. Apache CXF framework provides a wide range of the security features for REST and SOAP services. It supports a lot of security standards like OAuth, WS-Trust, WS-Security, WS-SecurityPolicy, WS-Federation. Because CXF is open source project with large community, everyone has opportunity to bring the new ideas, fix the bugs and even implement the new features and standards.

This session will briefly review CXF security features and illustrate them with the sample code. It shows the best practices to secure SOAP and REST services in standard way and explains how to use proprietary extensions. I will represent a real project with some specific security requirements - we will see how these requirements have been implemented using Apache CXF and discuss possible alternatives.

How to achieve federated security in CXF applications? Which security options are available for the REST service? Is it possible to use SAML token to authenticate browser client? How OAuth flow works? – all these questions will be discussed in the session. We will go through possible attacks and analyze how to protect application against them. Session also will give an overview of central certificates management, explains the role of XKMS service and Public Key Infrastructure. I will compare CXF with other Web Service frameworks like Jersey and Metro and give an overview of the future CXF features.

The main idea of this session is to present security aspects of the Apache CXF framework, illustrate them with concrete examples and discuss how to use these security features in your applications.

Andrei Shakirin

Andrei is software architect in Talend team developing the open source application integration platform based on Apache projects. His has expert knowledge in design and implementation of web security solutions. Andrei is committer of Apache CXF and Syncope projects. He is member of OASIS S-RAMP Work Group and speaker at Java and Apache conferences.